Broadleaf Commerce 6.2.3-GA

Released on May 31, 2022

This is the 3rd patch release for Broadleaf Framework 6.2.x. Upgrading a 6.2.x application to the 6.2.3-GA release should only require updating the broadleaf-boot-starter-parent version in the parent pom.xml to 6.2.3-GA.

Note: Due to an internal issue, framework version 6.2.3-GA was skipped and 6.2.3.1-GA was released instead. The BOM and boot-starter are still 6.2.3-GA, so this does not affect the upgrade.

New and Noteworthy

Library version upgrades

The following libraries were upgraded for security reasons:

  • Spring core : Updated to 5.3.20
  • Spring Security : Updated to 5.6.4
  • Spring Boot : Updated to 2.6.7
  • Antisamy : Updated to 1.6.8
  • ESAPI : Updated to 2.4.0.0
  • Jackson : Updated to 2.13.2
  • Protobuf : Updated to 3.19.4
  • Commons-io : Updated to 2.11.0
  • Tika-core : Updated to 2.3.0
  • Moment : Updated to 2.29.3
  • Jquery-ui : Updated to 1.13.1

Note: If you have references to any of the jquery-ui files (js or css), update them to the version mentioned above. For example, if there are references to the jquery-ui-1.10.2.custom.js file in the header or footer, update them to jquery-ui-1.13.1.custom.js. Similarly, if you are using Bootstrap, make sure to update it as well, because vulnerabilities were reported.

Spring Upgrade

Because of recent security issues, we encourage everyone to upgrade and verify the version of Spring that is actually being used in the system. It is defined in the pom of the framework, but it is easy to override or misconfigure, so we highly recommend verifying it. Here are a few things we encountered while upgrading Spring which might be helpful.

  • If Spring is not upgraded by setting the <spring.version> property in the pom, try <spring-framework.version> instead.
  • The property spring.resources.add-mappings=false has been renamed to spring.web.resources.add-mappings=false. Update the property name if it is used in your project.
  • The property spring.main.allow-circular-references=true is required to allow circular dependencies. It is added in the framework's 'common.properties' file, so it should not need to be added to your project. However, keep it in mind if there are startup errors.
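Verifying the Spring version that is actually resolved, rather than the one you think the pom declares, is the check recommended above. As an added example (not code from the Broadleaf project), here is a small Python script that parses the resolved-artifact lines of mvn dependency:list output and compares them with the versions listed under Library version upgrades, so an override or misconfiguration in the application pom shows up as an outdated artifact. The Maven coordinates are assumptions for the libraries the notes name informally, and the sample output is constructed.

```python
import re

# Versions this release upgraded to (taken from the release notes above), keyed by
# Maven groupId:artifactId. The coordinates are assumptions: the notes name the
# libraries informally, so map them to whatever artifacts your build actually uses.
EXPECTED_VERSIONS = {
    "org.springframework:spring-core": "5.3.20",
    "org.springframework.security:spring-security-core": "5.6.4",
    "org.springframework.boot:spring-boot": "2.6.7",
    "org.owasp.antisamy:antisamy": "1.6.8",
    "org.owasp.esapi:esapi": "2.4.0.0",
    "com.fasterxml.jackson.core:jackson-databind": "2.13.2",
    "com.google.protobuf:protobuf-java": "3.19.4",
    "commons-io:commons-io": "2.11.0",
    "org.apache.tika:tika-core": "2.3.0",
}

# Resolved-artifact lines look like "[INFO]    groupId:artifactId:type[:classifier]:version:scope".
_INFO_LINE = re.compile(r"^\[INFO\]\s+(\S+)")


def version_key(version):
    """Order versions numerically where possible: '5.3.20' > '5.3.18', '2.4.0.0' > '2.2.3.1'.
    Non-numeric pieces (e.g. 'RELEASE') sort after numbers so a qualifier never hides a downgrade."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def parse_dependency_list(text):
    """Map groupId:artifactId -> resolved version from mvn dependency:list output.
    Lines that are not artifact coordinates (banners, BUILD SUCCESS) are skipped."""
    resolved = {}
    for line in text.splitlines():
        match = _INFO_LINE.match(line)
        if not match:
            continue
        fields = match.group(1).split(":")
        if len(fields) == 5:      # no classifier
            group, artifact, _type, version, _scope = fields
        elif len(fields) == 6:    # with classifier
            group, artifact, _type, _classifier, version, _scope = fields
        else:
            continue
        resolved[f"{group}:{artifact}"] = version
    return resolved


def audit_versions(text, expected=EXPECTED_VERSIONS):
    """Return {coordinate: (status, found_version)} with status ok / outdated / missing.
    'missing' means the artifact was not resolved at all in this module."""
    resolved = parse_dependency_list(text)
    report = {}
    for coordinate, wanted in expected.items():
        found = resolved.get(coordinate)
        if found is None:
            status = "missing"
        elif version_key(found) < version_key(wanted):
            status = "outdated"
        else:
            status = "ok"
        report[coordinate] = (status, found)
    return report


# Constructed sample of mvn dependency:list output: spring-core is pinned to an
# older version by a property override in the application pom, and protobuf is absent.
SAMPLE_OUTPUT = """\
[INFO] The following files have been resolved:
[INFO]    org.springframework:spring-core:jar:5.3.18:compile
[INFO]    org.springframework.security:spring-security-core:jar:5.6.4:compile
[INFO]    org.springframework.boot:spring-boot:jar:2.6.7:compile
[INFO]    org.owasp.antisamy:antisamy:jar:1.6.8:compile
[INFO]    org.owasp.esapi:esapi:jar:2.4.0.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO]    commons-io:commons-io:jar:2.11.0:compile
[INFO]    org.apache.tika:tika-core:jar:2.3.0:compile
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    for coordinate, (status, found) in audit_versions(SAMPLE_OUTPUT).items():
        print(f"{status:<8} {coordinate} (found {found})")
```

Run it against the real output of mvn dependency:list in each deployable module, since a version override in one module's pom does not affect the others; a "missing" entry for a module that does not use that library is expected.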

SpringBoot Upgrade

Due to the Spring/SpringBoot security vulnerabilities we were forced to upgrade both Spring and SpringBoot. This upgrade may affect your application and/or deployment. One known impact is on SpringBoot configuration: if you deploy your application behind a firewall and use the Tomcat RemoteIP configuration, the SpringBoot property names have changed. Below are references to some of the changes related to RemoteIP; note that other RemoteIP property names not listed below have also changed. The links direct you to the previous/new documentation for the properties.

Previous SpringBoot Version - 2.1.18 Common Application Properties

Previous Settings:
server.tomcat.internal-proxies
server.tomcat.protocol-header
server.tomcat.remote-ip-header

New SpringBoot Version - 2.6.7 Common Application Properties

New Settings:
server.tomcat.remoteip.internal-proxies
server.tomcat.remoteip.protocol-header
server.tomcat.remoteip.remote-ip-header
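A renamed property is easy to miss because nothing fails: SpringBoot ignores a key it does not recognise, so an old name left in a properties file is silently dropped and the setting stops applying. For a deployment behind a proxy that means Tomcat's RemoteIP handling is no longer configured from those keys, so client addresses in logs and the request scheme seen by the application change with no startup error. As an added example (not code from Broadleaf or Spring Boot), here is a Python check that reads a .properties file, flags the renamed keys from the Spring Upgrade list above and the RemoteIP settings just listed, and rewrites them in place. The sample properties are constructed, and the parser is a small approximation of the Java properties format (no unicode escapes).

```python
import re

# Spring Boot property names renamed between the previous (2.1.x) and the new (2.6.7)
# version, as listed in the release notes above. Spring Boot does not fail on an
# unknown key, so an old name left in place is silently ignored.
RENAMED_PROPERTIES = {
    "spring.resources.add-mappings": "spring.web.resources.add-mappings",
    "server.tomcat.internal-proxies": "server.tomcat.remoteip.internal-proxies",
    "server.tomcat.protocol-header": "server.tomcat.remoteip.protocol-header",
    "server.tomcat.remote-ip-header": "server.tomcat.remoteip.remote-ip-header",
}

_KEY_VALUE = re.compile(r"([^=:\s]+)\s*[=:\s]\s*(.*)")


def parse_properties(text):
    """Minimal reader for the Java .properties format: '#'/'!' comments, '=', ':' or
    whitespace separators, backslash line continuations. Values are kept verbatim
    (no unescaping), which is all a key-name audit needs."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]          # logical line continues on the next physical line
            continue
        if not line or line[0] in "#!":
            continue
        match = _KEY_VALUE.match(line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def find_renamed_properties(text):
    """List every deprecated key that is set, its value, and whether the new key is
    already present (if so the old line is merely dead; if not, the setting is lost)."""
    props = parse_properties(text)
    return [
        {"old": old, "new": new, "value": props[old], "new_already_set": new in props}
        for old, new in RENAMED_PROPERTIES.items()
        if old in props
    ]


def migrate_properties(text):
    """Rewrite deprecated keys to their new names in place; comments, order and values
    are kept. Physical lines that continue a previous value are never treated as keys."""
    out = []
    continued = False
    for raw in text.splitlines():
        stripped = raw.lstrip()
        is_key_line = not continued and bool(stripped) and stripped[0] not in "#!"
        match = re.match(r"[^=:\s]+", stripped) if is_key_line else None
        if match and match.group(0) in RENAMED_PROPERTIES:
            indent = raw[: len(raw) - len(stripped)]
            out.append(indent + RENAMED_PROPERTIES[match.group(0)] + stripped[match.end():])
        else:
            out.append(raw)
        continued = (continued or is_key_line) and stripped.endswith("\\") and not stripped.endswith("\\\\")
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample application.properties still using the pre-upgrade names.
SAMPLE_PROPERTIES = r"""# constructed sample, pre-upgrade names
server.port=8080
# only trust X-Forwarded-* from the reverse proxy on this address range
server.tomcat.internal-proxies=10\\.0\\.0\\.\\d{1,3}
server.tomcat.protocol-header=X-Forwarded-Proto
server.tomcat.remote-ip-header=X-Forwarded-For
spring.resources.add-mappings=false
"""

if __name__ == "__main__":
    for finding in find_renamed_properties(SAMPLE_PROPERTIES):
        state = "dead (new key also set)" if finding["new_already_set"] else "LOST after upgrade"
        print(f'{finding["old"]} -> {finding["new"]}: {state}')
    print(migrate_properties(SAMPLE_PROPERTIES))
```

The mapping only covers the keys the notes list; the notes say other RemoteIP names changed too, so extend RENAMED_PROPERTIES from the linked 2.6.7 property reference before relying on the rewrite. After migrating, confirm on the running application that the client address and scheme are what you expect for a request that came through the proxy.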

Use default SKU for inventory management

This release introduces a new feature to use the default SKU for inventory for any product with options and alternate SKUs. For example, an event can have limited seats, with the different seating zones as alternate SKUs; for every ticket sold, the number of available seats is decreased from the default SKU's inventory. The option is available in the "Miscellaneous" section of the product form in the admin. It requires adding a column to the product table and setting the following property. The property is required for all applications, so make sure to add it to a common property file, e.g. common-shared.properties.

enable.weave.use.default.sku.inventory=true

Here is the MySQL statement for adding the required column.

ALTER TABLE blc_product ADD USE_DEFAULT_SKU_IN_INVENTORY BIT NULL;

Cache invalidation during purge job

An issue was reported where items removed by the "Workflow Item Purge" job were still in the cache, causing a NullPointerException (NPE). Therefore, we are introducing an option to create a cache invalidation event during the purge job. It can be enabled by setting this property:

should.create.cache.invalidation.event.on.sandbox.items.purge=true

An at-a-glance view of the issues that were closed in this release:

Major Bugs (2)

  • Refactored RegexPropertyValidator to address an issue where it did not work properly with 'exploitProtection' enabled.
  • Resolved issues with refunding during cancellation of fulfillment orders. Made changes in OrderPaymentStatusServiceImpl to not update status if payment is fully captured.

Minor Bugs (7)

  • Changed an arrow function in blc-admin.js to make it compatible with ECMAScript 5.
  • Fixed the issues with handling special characters when 'exploitProtection' is enabled.
  • Removed the formatting of the value in the "Amount" field of offers because it was causing validation failures on update.
  • Fixed the issue with adding time limitations to an offer. Made changes in entityForm-status.js to fix an extra "escape" of the JSON string in some cases.
  • Updated StaticAssetStorageServiceImpl to use a try-with-resources block when input streams are created, so that they are closed automatically without a 'finally' block.
  • Fixed an issue where filtering orders by "between dates" and then sorting produced an unparseable date error. Changed listGrid-filter.js to build the URL correctly.
  • Made changes in BasicPersistenceModule to improve validation. It now validates required properties first and does not allow rule persistence providers to save an entity without its required fields.

Enhancements (4)

  • Removed unnecessary xalan dependency from the framework.
  • Introduced the new feature to use the default SKU for inventory management, mentioned above.
  • Library upgrades, mentioned above.
  • Merged the bug fixes and enhancements included in 6.1.11-GA.

Total Resolved Issues: 13